This Page Is Inserted by IFW Operations 
and is not a part of the Official Record 



BEST AVAILABLE IMAGES 

Defective images within this document are accurate representation of 
The original documents submitted by the apphcant. 

Defects in the images may include (but are not limited to): 

• BLACK BORDERS 

• TEXT CUT OFF AT TOP, BOTTOM OR SIDES 

• FADED TEXT . 

• ILLEGIBLE TEXT 

• SKEWED/SLANTED IMAGES 

• COLORED PHOTOS 

• BLACK OR VERY BLACK AND WHITE DARK PHOTOS 

• GRAY SCALE DOCUMENTS 

IMAGES ARE BEST AVAILABLE COPY. 



As rescanning documents will not correct images, 
please do not report tlie images to the 
Image Problem Mailbox. 



THIS PAGE BLANK (uspto) 




ELSEVIER 



Signal PuHXSsing: hfuige CommunUation 16 (2001) 6K1-699 



SIGNAL PROCESSING: 

IMAGE 

COMMUNICATION 



www.elsevier.nl/UK'ate/iniaae 



An overview of multimedia content protection in 
consumer electronics devices 

Ahmet M. Eskicioglu^ *, Edward J. Delp"^ ' 

"Thomson Cansumer Electronics, Cqrporate Research, 101 103rd Street, Indianapolis, IN 46290-1102, USA 
^ Video and Image Processing Laboratory (VIPERi. Schmjl of Electrical and Computer Engineering. Purdue University, 

' West Lafayette, IN 47907-12^5, USA 

Received 15 March 2(KK); accepted U) August 2(KK) 



Abstract 

A digital home network is a cluster of digital audio/visual (A/V) devices including set-top boxes, TVs, VCRs, DVD 
players, and general-purpose computing devices such as personal computers. The network may receive copyrighted 
digital multimedia content from a number of sources. This conlenl may be broadcast via satellite or terrestrial systems, 
transmitted by cable operators, or made available as prepackaged media (e.g., a digital tape or a digital video disc). Before 
releasing their content for distribution, the content owners may require protection by specifying access conditions. Once 
the conrent is delivered to the consumer, it moves across the home network until it reaches its destination where it is 
stored or displayed. A copy protection system is needed to prevent unauthorized access to bit streams in transmission 
from one A/V device to another or while it is in storage on magnetic or optical media. Recently, two fundamental groups 
of technologies, encryption and watermarking, have been identified for protecting copyrighted digital multimedia 
content. This paper is an overview of the work done for protecting conlenl owners* investment in intellectual 
property. <0 2001 Flsevier Science B.V. AH rights reserved. 

Keywords: Multimedia; Copy protection; Cryptography; Watermarking; Consumer electronics; Digital television; Digital video disc; 
Digital video cassette: Home networks 



1. Introduction 

In the entertainment world, original multimedia 
content (e.g., text, audio, video and still images) is 
made available for consumers through a variety of 
channels. Modem distribution systems allow the 



* Corresponding author. 

E-mail addresses: eskiciogluacauce.coin (A.M. Eskicioglu), 
ace(a>ecn.purdue.edu (1;.J. IX-lp). 

' Portions of this work done by E.1D were supported by the 
sponsors of the Center for Education and Research in Informa- 
tion Assurance and Security at Purdue University. . 



delivery of content to millions of households every 
day. Although legal institutions exist for protecting 
intellectual property (trademarks and patents) 
owned by content creators, complimentary tech- 
nical measures are needed to sustain financial re- 
turns and to ensure incentives for new creations. 

In order to sec the increasing importance of 
protecting copyrighted conlenl, one should under- 
stand an essential difl'erencc between old and new 
technologies for distribution and storage. Prior to 
the development of digital technologies, content 
was created, distributed, stored and displayed by 
analog means. The popular video cassette recorders 



0923-5965/01/$- see front matter 2001 Elsevier Science B.V. All rights reserved. 
PII: S0923-5965(0O)00050-3 



3NSDOCI0: <XP „ .4232133A.. I > 



A.M. Kskiaioglu, EJ. Delp / Signal Processing: Image Communication 16 (2001) 6SI-699 



(VC'Rs) i»r the 198()s introduced a revolutionary 
way of viewing A/V content, but ironically allowed 
unauilu>ri/ed copying, risking the investments 
made in iniellectual property. An inherent charac- 
lerisiics of analog recording, however, prcvenled 
piracy elTorts to reach alarming proportions. If 
a taped content is copied on a VCR, the visual 
quality of the new, i.e., the first -generation, copy is 
reduced. I 'urther generational copies result in no- 
ticeably less quality, decreasing the commercial 
value of the content. Today, reasonably ellicient 
analog copy protection methods exist, and have 
recently been made mandatc^ry, in consumer elec- 
tronics devices lo further discourage illegal analog 
copying. An example of such a system was de- 
veloped by M^acrovision- whereby features of the 
analog composite video signal are modified to pre- 
vent copying. 

With the advent of digital technologies, new 
tools have emerged for making perfect copies of the 
original content. A quick review of digital repres- 
entation of data will reveal why generational copies 
do not lose their quality. A text, an image or a video 
is represented as a stream of bits (Os and Is). This 
representatii>n can be conveniently stored on mag- 
netic or optical media. Since digital recording is 
a process whereby each bit in the source stream is 
read and copied to the new medium, an exact 
replica of the content is obtained. Such a capability 
becomes even more threatening with the ever in- 
creasing availability of Internet, an immense and 
boundless digital distribution mechanism. Protec- 
tion of digital multimedia content therefore ap- 
pears to be a new and crucial problem for which 
immediate solutit>ns arc needed. 

Three major industries have a great interest in 
this problem: 

1. motion picture industry, 

2. consumer electronics (CH) industry, 

3. information technology (IT) industry. 

The content owners are the motion picture 
studios. Their content (movies) is displayed or re- 
corded on devices manufactured by consumer elec- 
tronics companies. The information technology 
industry manufactures general purpose computing 



~hU|>://www.inacrovi.sion.c()in/ 



devices, such as personal computers, which can also 
be used to display and store content. 

Research conducted by the CE and IT industries 
has revealed two promising groups of technologies. 
Encrypt ion -based technologies transform content 
into unintelligible or un viewable form. This trans- 
formation, being reversible in nature, allows perfect 
recovery of content. Both symmetric and public key 
ciphers are commonly used for content security and 
authentication (see Section 4). Technologies based 
on watermarking serve several purposes: identifica- 
tion of the content origin, tracing illegal copies and 
disabling unauthorized access to content. 

This paper highlights recent developments in 
protecting copyrighted multirnVdia content. The 
exact details of the copy protection systems will 
be omitted throughout the presentation due lo 
security issues and for the protection of intellectual 
property. 



2. What is the copy protection problem? 

2,1. Problem definition and possible approaches 

The home network depicted in Fig. 1 may receive 
content from a variety of sources, including cable 
operators, satellite or terrestrial broadcasters, and 
telephony centers. Pre-recorded media is also con- 
sidered to be a content source. A commonality of 
all these sources is that they protect the content in 
some private way before delivery. Examples are the 
protection provided by the DirecTV Digital Satel- 
lite System (DSS) system and the Content Scramble 
System (CSS) for DVDs. When the scrambled con- 
tent reaches the "boundaries" of the network, an 
authorized "access device" (a DSS set-top box or 
a DVD player) descrambles the stream, and makes 
it available for display or storage. The content then 
has to be sent to a display or storage device. 

A global copy protection framework needs lo 
address two problems: protection of content in 
transmission and protection of content in storage. 
Copy protection technologies ofl'er methods and 
tools to prevent unauthorized access. The ap- 
proaches used in deploying these technologies can 
fit into two broad categories: 



BNSDOCID:<XP 4232133A I > 



A.M. Eskicioglu, E.J. Delp I Signal Processing: Image Communicatiun 16 (2001) 681-699 



683 



Satellite or terrestrial 
network operator 



O 



Cable network 



Protecicd 
content 



Operator 



o 



ProiccKfi 
conient 



Home network 



Internet 



ctwiteni 



jStT 

car 
JSrt 



DVCR 



DVD 
Player 



o 



DT 



Proiectcil I 
conicnl 




/ Protected 
content 



Fig. 1 . Sources of content for home networks. 



With feedback provided by the conient owners, 
the CE and IT industries have been developing 
solutions in specific areas. The CSS, for example, 
provides protection for content recorded on DVD- 
ROM discs (see Section 7). Other systems are pro- 
posed for securing the IEEE 1394 interface, and 
preventing unauthorized copies on recordable 
DVDs (DVD-R/RW/RAM). 

An alternative approach is to develop global 
architectures based on removable security devices. 
Such architectures are considered extensions of 
conditional access systems, restricting viewing 
when the consumer does not have the correct en- 
titlements (sec Section 10). The National Renew- 
able Security Standard (NRSS) provides a means 
for separating the security functionality from navi- 
gational devices (sec Section 9). 

The recording industry is another major player 
in the copy protection arena who has chosen a sep- 
arate path to develop a solution for musical 
content. The recent launch of the Secure Digital 
Music Initiative (SDMI) is an indication of the 
strong need for secure distribution of music (see 
Section 11). 

2.2. Various ty^pes of attacks 

It is important to keep in mind what attacks are 
supposed to be prevented in a copy protection 
system. Generally, the following categories of 



attack are discussed: 

• Commercial piracy: a commercial entity steals 
content, makes a master, and begins making and 
selling illegitimate copies. None of the copy pro- 
tection systems discussed in this paper help with 
this problem. Commercial entities that can cre- 
ate a manufacturing faciUty will always be able 
to get to a clear bitstream, or simply to duplicate 
a pre-recorded content. The key to fighting this 
type of piracy is tracing the source of the illegit- 
imate content and taking legal action. Water- 
marking may be of best use here. 

• ''Garage" piracy: an individual with smaller re- 
sources makes a few dozen or hundred illegit- 
imate copies and sells or barters them. It is also 
probably true that none of the copy protection 
systems can defeat this pirate. A "garage" pirate, 
skilled in engineering, will be able to take apart 
his TV/VCR/STB, and probe a PC board for 
a clear bitstream (which is present in all current 
products, and will be for several years). However, 
a useful deterrent is to void instrument the war- 
ranty if it is so modified. This will discourage 
most of the population. Once again, legal means 
are probably the only way to fight this type of 
piracy, and watermarks may turn out to be help- 
ful as a tracing tool. 

• **Ant" piracy: an individual wants to make a few 
copies of something for his friends, relatives, or 
even for his own use. In general, this person will 



3NSDOCID: <XP 4232133A . I > 



r 



A.M, £skicioglu. EJ. Delp / Signal Processing: Image Communication 16 (2fH)l) 667- 



699 



have very limited resources, and will not be 
skilled in engineering. Ant piracy is prevented by 
the copy protection systems shown here. 

2.3. Design factors 

All security systems based on encryption and 
watermarking are bound to be broken in time given 
sufficient resources. Hence, a number of important 
factors need to be taken into consideration in de- 
signing systems for protecting content in CH 
devices. These include robustness, renewability and 
cost. 

Rohnstnes.s: Refers to how strong the system is 
against conceivable attacks. Every successful design 
should produce a security system that is sufllcienlly 
robust for the application it is used for. 

Renewability: When a protection system is 
hacked, there must be a way to replace it with 
a new, more robust system. This general concept 
can be implemented in two fundamental ways. (1) 
Replacement of renewable security device: all the 
security functionality is assigned to a renewable 
device such a smartcard. When its secrets are dis- 
closed, it is simply replaced by a new card. (2) 
Revocation of CC device: the secrets are embedded 
in the CE device, and cannot be removed. If the 
device is understood to be a pirate device, it is not 
allowed to receive copy-protected content. 

Cost: The CB industry is in a constant effort to 
minimize the cost of manufacturing so that the end 
product is atVordablc for the consumer. Any addi- 
tional cost needs to be justified from the consumer's 
viewpoint. 

There is a critical balance between the robustness 
and cost of copy protection systems. A system 
should neither be too expensive nor easily hack- 
able. Ideally, every security system needs to be 
renewable to minimize the damage caused by a sys- 
tem hack. However, the transition to the new 
system should be transparent to the customer. 

3, WlPO^and digital fnillenniuiii copyright act 

The World Intellectual Property Organization 
(WlPO) is an intergovemmental United Nations 
organization with headquarters in Geneva, Swit- 



zerland. It is responsible for the promotion of 
the protection of inlclleclual property throughout 
the world through cooperation among States, and 
the administration of various multilateral treaties 
dealing with the legal and administrative aspects of 
intellectual property. 

Intellectual property comprises two main branches: 

• Industrial property: chiefly in inventions, trade- 
marks, industrial designs, and appellations of 
origin. 

• Copyright: chiefly in literary, musical, artistic, 
photographic and audiovisual works. 

The number of member States as of 15 April 1999 
was 171. Members include -S^^jtzerland, member 
states of the European Union, USA, China and 
others. 

WlPO Copyright Treaty and WlPO Perfor- 
mances and Phonograms Treaty were adopted by 
a WlPO conference in Geneva on 20 December 
1996 based on existing international treaties (the 
Berne Convention for the Protection of Literary 
and Artistic Works as revised in Paris on 24 July 
1971, and the Rome Convention for the Protection 
of Performers, Producers of Phonograms and 
Broadcasting Organizations of 26 October 1961). 
Before becoming binding law in the member states, 
the provisions of the treaties have to be ratified by 
the member States and national legislation has to 
be amended. It is not mandatory for WlPO Mem- 
ber States to ratify the treaties; however, the most 
important Contracting Parties, among them the 
USA, were expected to do so. 

The Digital Millennium Copyright Act (DMCA) 
1 11] was prepared to amend title 17, United States 
Code, to implement the WlPO Copyright Treaty 
and WlPO Performances and Phonograms Treaty, 
and for other purposes. It includes five titles: 

• WlPO Treaties Implementation, 

• Online Copyright Infringement Liability Limita- 
tion, 

• Computer Maintenance or Repair Copyright 
Exemption, 

• Miscellaneous Provisions, 

• Protection of Certain Original Designs. 

How the DMCA will be used to enforce copy 
protection is an open question. The movie industry 
used the DMCA to sue individuals who attacked 
the Content Scramble System (CSS) system. With 



BNSDOCID: <XP 4232133A_L> 



A.M Eskicioglu, EJ. Dclp /Signal Processing: Image Communication 16 (2001) 681-699 



685 



regard lo watermarking, the applicability of the 
DMC A may not be obvious. It is widely believed 
ihai ir one attempts to deliberately remove or at- 
tack a watermark then this a violation of the 
DMCA. However, does the DMCA require that 
a watermark has to be detected if one is present in 
the content? 



4. Basic concepts and definitions in cryptography 
and watermarking 

have a heller understanding of the impact of 
protection metJiods on consumer electronics devi- 
ces, we will start with a summary of basic concepts 
anil deruiilions in cryptography and watermarking. 

4.L Ctyptography 

Crypli^graphy [ 7,8,23,25,29] deals with the con- 
ccahnent and protection of digital information. The 
suulv of cryptographic techniques is more than 
400 years old. Shannon's 1949 paper [30] that con- 
nected cryptographic techniques with digital com- 
munication theory is thought by many to be the 
bcLiinning of "modern" cryptography [20]. 

A cryptographic system consists of five elements: 
a plaintext message space, a ciphertext message 
space, a key space, a family of enciphering trans- 
formations, and a family of deciphering trans- 
fi)rmaiii»ns. In modern crypt osystems, the 
enciphering and deciphering transformations are 
public, only the keys need to be kept secret. Cryp- 
tanalysis is the science and study of '^breaking" or 
attacking ciphers. 

Ciphers can be classified according to two im- 
portant criteria: (1) symmetric versus asymmetric 
and 12) stream versus block. 

In a symmetric key cipher, enciphering and de- 
ciphering keys are the same or can easily be deter- 
mined from eacli other. Asymmetric key systems 
(public key systems) dilTer in such a way that at 
least one key is computationally infeasible to deter- 
mine from the other. The key used for encryption is 
publicly available, while the corresponding decryp- 
tion key should be kept confidential all the time 
[9,10]. 



A stream cipher breaks the message M into suc- 
cessive characters or bits n2,,i«2,'W3, and en- 
ciphers each nii with the /th element- A:,- of a key 
stream K = A:,^-2^'3» A block cipher breaks the 
message M into successive blocks A/i , M2, A/^, - . » 
and enciphers each A/, with the same key K. 

An example of symmetric and asymmetric key 
ciphers is shown is P1g. 2. When the two parties 
A and B want to communicate securely, each ap- 
proach introduces key management problems. In 
case (a), both parties need lo have a copy of the 
symmetric key, the distribution of which is a non- 
trivial problem. The problem with case (b) is the 
authentication of the public ,kcy Jhat is used for 
encryption; A needs assurance that it has the public 
key that actually belongs to B. 

Using public key cryptographic techniques, one 
can provide assurance about the integrity or relia- 
bility of a pubhc key or other types of data. This is 
usually referred to as authentication [29]. There 
are two types of authentication protocols. In mess- 
age authentication, a party is corroborated as the 
original source of specified data created at some 
time in the past. In entity authentication, one 
party is assured of the identity of a second parly 
involved in a protocol, and that the second party 
has actually participated. 



Key. k 




Kcv, k 


i 




1 






















aimmimicaiion 
cliannel 










t 

Plauiicxi. M 


i 

Plaiiiicxt, M 


A 


(a) 


B 


Ke>', kpubB 
i 




Kcv. kpriD 




















communication 
channel 










t 

Plaintext. M 


i 

PImtiicxi. M 



A B 

lb) 



Fig. 2. Encryption: (a) symmetric key, (b) asymmetric key. 



3NSDOCID: <XP 4232133A_L> 



A.M. Eskicioglu, EJ. Delp / Signal Processing: Image Communication 16 (2001) 6if 1-699 



A digital signature [29], which associates a mess- 
age with some originating entily, can be construc- 
ted with public key systems. Each digital signature 
scliemc includes a signature generation algorithm 
and a signature verification algorithm. A public key 
ceruficatc [23] is a digitally signed message consist- 
ing of two parts which can be used lo authenticate 
a public key. The '*dala part" includes the public 
key that is being authenticated, as well as other 
information such as the issuer, the owner, and the 
validity period of the pubUc key. The "signature 
part" is the signature on the data part generated by. 
thc issuer of the certificate. 

-4.2. Watennarking 

Watermarking [24,31] is the process of embed- 
ding data (or controlled distortion) into a multi- 
media element such as image, audio and video. This 
embedded information, known as the watermark, 
can later be extracted from the multimedia and 
used for security purposes [19 1. In multimedia ap- 
plications, the watermark should be invisible or 
inaudible to the human observer (visible water- 
marking techniques do exist) [33J. A watermarking 
algorithm consists of the watermark structure, an 
embedding algorithm and an extraction or detec- 
tion algorithm. Watermarks can be embedded into 
multimedia directly (e.g., the time domain) or after 
the multimedia element has been transformed (e.g., 
the discrete cosine transform) 16]. Performance 
issues include robustness to attack (attempts to 
remove the watermark), capacity (how bits can be 
hidden in the multimedia) and how transparent is 



the watermark under normal viewing or listening 
conditions. There has been a tremendous amount of 
work done in watermarking in the past 6 years [24], 

Typical uses of watermarks include identification 
of the origin of content, tracing illegally distributed 
copies, and disabling unauthorized access to con- 
tent. A mature robust watermarking technology 
should be resistant to many types of attacks and 
normal A/V processes such as noise, filtering, re- 
sampling, cropping, data compression, and A-to-D 
and D-to-A conversions. 

There is an important difference between encryp- 
tion and watermarking in enforcing protection. 
With an encryption-based tecligplogy, it is possible 
to protect content (video or audio) because licensing 
allows the implementer to have access to the keys. If 
keys are not available, content cannot be accessed. 
Watermarks do not preclude access to the water- 
marked content. The receiving device needs to have 
the detection capability. Thus, a legal mechanism is 
needed to enforce the manufacturers to implement 
detectors in devices. In the US, no such legislation is 
expected in the future. Nevertheless, hybrid tech- 
nologies with encryption and watermarking may 
address this Hmilation through Hcensing. 

4.3. Mulii layer protection by encryyption and 
watermarking 

Encryption or watermark based technologies 
can be independently used for protecting multi- 
media content. However, it is possible lo implement 
both in the same application, providing a two-layer 
protection. As shown in Fig. 3, the content may 



Walemiiirk 
inscnion 

i 


Kcy.k 

1 




Key, k 

i 


Watennark 
detection 

i 




Mv.in 












M,„. -=Dk(C) 














communication 






T 




channel 








J 




Hlainiexi 








Waiermarkcd 


message. M 








message. M 





A B 



Fig. X Two-layer proteaion. 



-GNSDOCID: <XP 4232133A_L> 



.4.A/. Eskicioslu, EJ. Delp / Signal Processing: Image Communicalion 16 (2001) 667- 



687 



have been watermarked immediately after creation. 
The sending parly encrypts the watermarked con- 
lent to provide the second layer of protection. At 
the receiving end, the stream is decrypted before 
watermark detection takes place. 



5, The beginnings 

The work on copy protection started almost four 
years ago. Al tlie beginning of 1996, a bill was 
drafted as a result of collaboration between con- 
sumer electronics companies and content owners. 
The "Video Home Recording Act of 1996"' was 
intended to amend title 17, United States Code, to 
^^^overn the importalion, manu fact are and distribu- 
tion of digital motion picture recording and related 
services, to prohibit certain copyrighted infringement 
actions, and for other purposes"". One section of the 
Act was a technical reference document for estab- 
lishing the standards and specifications for imple- 
menting technological management of consumer 
copying of linear motion pictures. Before the bill 
was actually submitted to the US Congress, the 
three industries (CH, IT and motion picture) 
wanted to resolve all outstanding issues, and agreed 
to create a forum for discussion. 

The forum gave birth to a plenary group which 
was comprised of both technical and policy repre- 
sentatives of the member companies of the 
MPAA,-^ CHMA,** BSA,^ ITIC^ and R1AA\ Each 
expertise group (technical and policy) was assigned 
a specific task that was completed in late June of 
1996. The findings were presented in two reports on 
21 June 1996. The report of the policy group sum- 
marized the exploratory discussions regarding the 
concepts of anti-circumvention in conjunction with 
the introduction of digital video technologies, and 



^Motion Piclurc Association of America (htip:// 
www.mpaa.orgl. 

Consumer Eleclronics Manufacturing Ass<H;ialion (now 
known as the Consumer Electronics Association, http:// 
www.cc.org). 

Business Software Alliance (hltp://www.bsa.org). 
*lnfonnation Technology Industry Council (hUp:// 
www.itic.org). 

''Recording Industry AsstH:iation of America (hitp:// 
www.riaa.org/). 



the key policy considerations to be weighed in 
making decisions about specific technical and legis- 
lative proposals. Focusing on technical issues, the 
other group identified and evaluated the technical 
approaches to protect content in analog or digital 
form, delivered by direct electronic transmission or 
prerecorded media. After these presentations, the 
technical group, now known as the Copy Protec- 
tion Technical Working Group [2] (CPrWG), 
continued discussing copy protection problems. It 
is still active today, having monthly meetings to 
discuss the current issues. 

In the past three years, CPTWG formed working 
groups to focus on specific problems [3J. Two of 
the most active groups were the Digital Transmis- 
sion Discussion Group (DTDG) and the Data Hid- 
ing Subgroup (DHSG). 

The DTDG was created on 3 October 1996. Its 
scope was to define a data protection system (DPS) 
that can be used to protect digital audio/video 
transmitted on the IEEE 1394 high performance 
serial bus [321. The architecture developed for DPS 
had three layers: 

1. Copy Control Information (CCI) Layer 

- a means of carrying information along with 
the copyrighted content that expresses the in- 
tentions of the copyright holder with regard to 
the conditions under which an end consumer is 
authorized to make a copy. 

2. Device Authentication and Key Exchange Layer 

- a means of a compliant device to establish the 
authenticity of another device prior to exchang- 
ing copyrighted content, and also to generate the 
keys for data encryption. 

3. Data Encryption Layer - a means of encrypting 
the copyrighted content when it is transmitted 
from one compliant device to another compliant 
device in digital form. 

The DTDG issued a Call for Proposals on 11 
March 1997, and published its "Review and Find- 
ings"" report |27] summarizing the technical fea- 
tures of the submitted proposals. After completing 
its task, the DTDG closed in February 1998, Five 
of the proposals included in the DTDG report later 
merged to form tlie 5C group [4 J. 

The DHSG was created on 6 May 1997. Its scope 
was to define a data hiding system that can be 
used to mark video content for the purposes 



3NSDOCIO: <XP 4232133A_I.> 



A.M. Eskicioglu, E.J. Delp f Signal Processing: Image Communication 16 (2001) 6SI-699 



of idcnlirying marked material and preventing 
unaulhorizcd recording/playback. The Call for 
Proposals issued on 1 July 1997 identified a set of 
essential and desirable requirements for the system. 
The Interim Report 121] published by DHSG in- 
cluded I lie performance of seven proposals during 
visibility and survivability tests. 

Uecause of prolonged discussions, the Video 
i liMiie Recording Act of 1996'' could not be submit- 
ted \o the US Congress. 

6. Desirable attributes for a copy protection system 

The iirsi step in developing a system in any field of 
engineering is (o determine the system requirements. 
Allhtuigh work on copy protection had been conti- 
nuing for some time, a list of desirable attributes 
applicable to a copy protection system was not 
available until recently. Recognizing the need, 
(T!MA put together a list, and presented it to the 
MI*AA. Instead of providing feedback to CEMA's 
wtirk. the MPAA chose to publish its own list. 
lri»nically, both lists were created long after the 
tlevelopnient of some of the copy protection systems. 

6. /. CEMA list 

The attributes are presented in three groups: 
Cieneral 

1. OlVers a sutlicient level of security to *'ke(ep 
honest people honest". 

2. Is likely to achieve broad multi-industry con- 
sensus and receive support of industries parti- 
cipating in the CPTWG. 

Technical 

3. Is renewable. 

4. Is applicable to one or more of the following 
four interfaces: IEEE 1394, RF Remodulator 
(Section 9), NRSS A&B (Section 9), and Com- 
ponent Video. 

5. I las low complexity in implementation, opera- 
tion, maintenance and administration. 

6. l*rovides transmission and storage protection. 

7. Docs not result in perceptible degradation of 
content. 

8.. Does not inhibit desirable and currently avail- 
able features on CE products such as trick play. 



9. Is extendable to general-purpose computing 
architectures, allowing interoperability of CE 
and general-purpose computing -devices. 

10. Has components available competitively from 
as large a number of sources as possible. 

Consumer 

11. Allows time shifting of transmitted content 
(i.e., recording) for fair use. 

12. Allows place shifting of content (e.g., the ability 
to play a lawfully made recording at a friend's 
house on comphant equipment). 

13. Allows free copying of content, including over- 
t he-air and non-premium sjjryices, accommod- 
ates generational control of premium services, 
and permits the copyright owner to prevent 
copying of pay-per-view and video-on-demand 
services as well as prerecorded content. 

14. Can accommodate changes without impairing 
the ability of the existing equipment to operate 
with new content or new equipment to operate 
with old content. 

15. Can include features or accommodate changes 
without rendering recorded material un view- 
able to the extent that user has expectation of 
vicwability. 

Legal 

16. Does not introduce import or export problems 
for the United States and other major markets. 

17. Includes a technological measure which per- 
mits legal enforcement against circumvention. 

18. Is licensed in accordance with the CEMA Intel- 
lectual Property Rights (IPR) policy. 

19. Preserves consumer's legal rights of use, includ- 
ing the first sale doctrine. 

When the hst was completed, it was presented to 
the CPTWG in March 1999, and later discussed 
with the MPAA in April 1999. 

6,2. MPAA list 

After reviewing the CEMA list, the MPAA pub- 
lished its own hst of ^'attributes of a security envi- 
ronment for distribution of protected high value 
content''. In this list, distributed in May 1999, 
*'Approved" means acceptable to owners of legally 



BNSCXX:iD: <XP 4232133A_I_> 



.I.A/. E<kh:iuvlu, LJ. Delp j Signal Processing: Image Communication 16 (JOOl) 6A7- 



689 



pr^iiccicd liigli value conlcnl exercising, their indi- 
vuliuil discretion, lor the purpose of protecting law- 
lul riiihis. It is assumed that all content referenced 
in ihc list is legally protected, high value content. 
I lie list rcHccls the views of the individual member 
companies of the MPAA. All decisions as to 
whcihcr particular technologies are acceptable, 
whether to invoke any particular level or form of 
o»pv protection, and other matters are for unilat- 
eral, independent determination by individual 
meniber companies. 

MPAA attributes of a security environment for 
distribution of protected high value content: 

1. The following is applicable to all linked trans- 
port, display and recording devices. 

:. rhe same 'principles apply to Ci: and IT devi- 
ces. 

3. Digital bit streams are never *in the clear'' (i.e., 
are always encrypted). 

4. Bidirectional*^ digital output is allowed only 
with Approved digital technology protection 
te.g,, 5C\ if Approved). 

. 5. Unidirectional digital output is allowed only 
with appriwed digital technology protection 
(e.g., XCA (see Section 10), if Approved), 
(i. Standard definition analog video output 
(NTSC and PAL: 4S()l, 4S0P and 5761 lines) . 
must be protected by an Approved Analog 
Protection System lAPS) (e.g., Macrovision) 
and marked by CXjMS-A.*' 
7. All high defmition analog video output (greater 
than 4S0P, e.g., 720 or 1080 lines) must be 
protected by an Approved analog protection 
technique. (I'l^r example, a video scrambling 
technique, yet to be determined and approved. 
A future system based on watermarking and 
requiring response under legislation may also 
be suitable.) 

S. All video inputs (digital and analog) must look 
for and respond to an Approved watermark 
standard. 



*'(\niuinicalK»n is allowed iii cilhci dircclion across ihc inlcr- 
facc. 

*^( \>py Cicncralion Manaucincnl System - Analog: A system 
Tor eiicodiniZ copy control inlorinaiion in transmissions and 
prerect>rdcd ct>pi*-*ii ciMileiil in analog formal. 



9. Licensed devices with recorder function must 
respond to copy protection flags (CGMS-A, 
Macrovision, and watermarks). - 

10. When only one copy Tcopy once'^) is allowed, 
such copy must be recorded using an Approved 
copy protection technology in a manner that 
does not allow access to the content by non- 
participating devices and that does not allow 
further copying. 

11. Content providers should be granted express 
third-party beneficiary rights to enforce li- 
censes. 

12. Specific devices should accommodate Ap- 
proved revocation and .jenewabilily mecha- 
nisms. Content providers shall have the right 
to invoke revocation/renewal. 



1. DVD protection 

7,1. DVD video 

The first problem addressed by CPTWG was the 
protection of content on DVD Video discs de- 
veloped by the DVD Consortium (now known as 
the DVD l^'orum). The DVD Consortium was 
started as an ad hoc group in December 1995 to 
promote a single format for a large capacity disc, 
now known as DVD. The founding members were 
Hitachi, MEl, Mitsubishi, Philips, Pioneer, Sony, 
Thomson, Time Warner, Toshiba and Victor. With 
over UK) member companies today, the DVD Fo- 
rum delines the specifications for DVDs. Currently, 
it has eight working groups: WGl: DVD Video, 
WG2: DVD-ROM Physical Format, WG3: DVD 
File System, WG4: DVD Audio, WG5: DVD-RAM 
Physical Formal, WG6: DVD-R/RW Physical 
Formal, WG9: DVD Copy Protection, WGIO: 
DVD Professional Use. 

Several proposals were studied by the DVD Fo- 
rum and CPTWG. After much discussion and criti- 
cal review, the DVD Forum recommended the 
proposal developed by MHl and Toshiba lo the 
relevant industries. Known as the CSS, the system 
consists of a private scrambling system with multi- 
layer key management. Scrambling takes place at 
the disc manufacturing location before the discs 
are pressed. As shown in Fig. 4, the CSS-protected 



3NSDOCID: <XP 4232133A I > 



A.M. iCskiciuglu. EJ. Delp / Signal Processing: Image Communication 16 (2001) 6SI-699 




CSS^ramblcd content 



Dcscrainbltrs 
DVD contenl 
Decompressej? 
DVD content 



NTSC 



Audio (ACS, stereo) 



DVD player 
Fig. 4. CSS on a DVD player. 




CSS-scrambled content 



Mutual 
authentication 



Descrainblcs 
DVD content. 
Dccuin|>ivs<;e» 
DVD contcnL 



DVDROM drive 



DVD A.'V decoder 



RGB, N*rSC 



Audio (AC3» Stereo) 



PC 



Fig. 5. CSS on a PC system. 



conlenl is dcscramblcd during playback on a DVD 
player. The (^SS has been very much in the news 
lalely because a group of computer hackers has 
successfully attacked CSS [26]. Note that the first 
generation players are allowed to have NTSC (ana- 
log) output only. An analog protection system 
(APS) developed by Macro vision results in degra- 
dation in unauthorized copies made on VHS re- 
corders. 

Fig. 5 shows the additional element needed in 
CSS for implementation on a PC system. The DVD 
drive and the PC participate in mutual authentica- 
tion before the scrambled content is sent to the 
descrambler. This allows each party to check if the 
other participant is authorized to handle CSS 
scrambled content. 

The DVD Copy Control Association (CCA) is 
the entity created to license the CSS technology. 
The CSS Specifications are provided for each licen- 
see to have access to the appropriate information 
for implementation. It includes two sections: pro- 
cedural and technical. The procedural section pro- 
vides the terms and conditions of the use of CSS 
specifications, while the technical section, desig- 
nated specifically for particular membership cat- 
egories, describes the system components. 



7.2. DVD audio 

The experience gained in DVD Video protection 
has helped considerably in determining an architec- 
ture for protecting prerecorded DVD Audio discs. 
An important factor taken into consideration for 
this architecture was the existence of the compact 
disc (CD), the first generation of digital audio for- 
mal. It was argued that since a large population of 
CD players were still in the field, the consumers 
would most likely desire to have copies on record- 
able CD media during the transition period. 

With input from the major recording studios, 
four companies (IBM, Intel, MEI and Toshiba) 
proposed a framework where watermarking and 
encryption are the primary technologies for preven- 
ting unauthorized playback or recording. The 
DVD Audio copy protection framework, which 
allows personal copies when authorized by content 
owners, is defined by the following rules: 

• Devices need to have a license to descramble and 
to detect watermarks. 

• Copying is limited to one per recorder unless 
more copies are authorized. 

• Authorized copies must be scrambled to pre- 
vent further copies (Unprotected copies are 



BNSCKXID; <XP 4232133A__I.> 



A.U Kskiciosslu, EJ. Delp / Signal Frocessiug: image Communication 16 (2001) 081-699 



691 



Table 1 

IVnnissiblc iX'I paramclcr sellings 



( • S|xciiics ihe number of. or olhcr conditions for, copies aulhorized \ycr recorder 

N: Number of copies N 1 <defauli value) 
One general ii>n 
No nn>re copies 
No ci»py conirol 

Q Sixcilies ihc maximum sound quality of the permiltcd recording 

('I)-Audio quality (defauU value) 
2-channel full quality 
Multi-cbannel full quality 

H Indicates the aulhoriyiilit>n status for copies of each element of related content 

Aulhori/A:d 

IJnaulhori/ed ^ 

T iSovides optional access control parameters 

Values d*»wnloadcd to the OVD Audio player from the Internet may override ihe CCl on the Audio disc 



allowed on legacy media with restricted sound 
quality). 

• Copying lor personal use is allowed at CD- 
Audio sound quality (Additional copies with dif- 
ferent characteristics niay be authorized by se- 
lecting dilTerent values of CX'I parameters). 

• The CX'l parameter values must be sent securely 
to a licensed recording device together with 
scrambled content. 

• (\Mitent in unscrambled digital or analog form 
can be sent to a licensed recorder with specific 
values of C and O parameters (see below) embed- 
ded in the audio watermark, 

• All outputs of DVD-Audio content except UiC- 
958 and anaU>g from licensed DVD devices must 
be scrambled by an approved system. 

• The robustness of implementation must be sim- 
ilar to that of CSS. 

The CC:i parameters, namely C, R and T, allow 
the content owners to specify on a track by track 
basis the conditions for copying. Their definition 
and a set of permissible values that have to be 
supported by playback and recording devices arc 
given in Table 1. 

The copy protection framework needs the sup- 
port of three systems: 

1, A scrambling system for prerecorded DVD 
Audio discs, 

2. A watermarking system for embedding CCl in 
the content. 



3. A system for creating secure authorized copies. 
Work is in progress to develop these component 
technologies. Specifications of Copy Protection for 
Pre-recorded Media (CPPM), an audio water- 
marking system, and CPRM (for authorized copies, 
see Section 7.3) arc being finalized. 

7.J. Recordable DVDs (RAM/R/Rm 

The DVD Forum WG9, the working group ad- 
dressing copy protection, is in the process of deter- 
mining the components of the security architecture 
for recordables DVDs. A summary of the work is 
given in Table 2. 

Developed by IBM, Intel, MBl and Toshiba, the 
proposal known as Content Protection for Record- 
able Media (CPRM) provides some of the compo- 
nents given in Table 2. Although the CPRM 
technology presently addresses only one DVD 
physical formal (DVD-RAM 4.7 GB) and one ap- 
plication format (video recording), other physical 
and application formats will be considered in future 
revisions. The principal elements of CPRM include 
a private key management system and disc type 
recognition. 

As noted earlier, the first generation DVD 
players were limited to have analog output only. 
There was not an immediate need to protect 
a digital stream leaving a DVD player. In home 
networks, however, there will be several devices 



3NSDOCID:<XP 4232133A I > 



A.M. ICskicufi^ht. EJ. Delp j Signal Processing: hnage Communication 16 (2001) 6iil-699 



(Micluding newer generation of DVD players) with 
iii:-:iial interlaces that need lo be prelected. 



" 4 Ilisftfricu/ look at Dl'D protection 

I III. 6 depicts three systems needed to protect 
DVD contenl in home networks. The CSS 
s*.r;inihles the content before it is recorded on 
a DVD ROM. The first generation DVD player 
»uitpii!s an NTSC^ signal after decryption and 



MPEG decoding. If the DVD player has an IEEE 
1394 interface, the output should be protected by 
a second system (labeled X in Fig. 6, e.g. 5C) that 
performs re-encryption. Being a compliant device, 
the receiving unit (e.g. a digital television) has the 
descrambling engine and the keys for recovering 
the video signal. The third system (labeled Y in 
Eig. 6, e.g. CPRM) is needed for protecting the 
DVD content that was initially encrypted by CSS, 
and re-encrypted by X for transmission across the 
1394 interface. 



I ,il»lc 2 

c'oiiipitnciils i»f ihccopy prtHcclum archilcclurc for recordable DVDs 



( '«Mnp«iiiciit 


Decision 


DiNC iy|x: reei><inition 


Will be impleinenled 




Will be implcmenlcd 


W.iicnnark 


Will be iinpleinenied 


Secure iransinission 


Will be implemented 


1 nci N plion 


Will be implemented 


( iMiipliancc marl; 


Under discussion 


Tickci 


Under discussion - used by a particular walennarking technology 


Aiilliciilic;iliiMi 


licinu studied for the PC environment 


1 iiiipic disc II) 


( inder discussion 



(CSS, 1997) 



liiK-iypicd hy CSS 



CSJ> 



1st generation DVD Player 



DTV 



Decrypted by CSS 


N1 s(r (>u^>ut 


(.'oiiiont 
(Sis*pl:i>^d 


1 C=J> 





(X, 1998) 



(Y, 1999) 



hiu:rypit:d hy CSS 



l;nLT>i»ie<ll)y CSS 



2nd gcneraiion DVD IM;>yt:r 



DTV 



Dccrvpicd bv c:ss 


IJO'I interface 1 


Encrypted by X 


i 

(pn>iected) j 


2iid generation DVD Player 










1394 tmerfacc 


Ettcryptrd by X 


O)roteclod) 



_| Coiiieitt deco'pt^d 
I by X & displa>'cd 



DVD Recorder 



Content dcer>pt«:d by X 
& encrypted by V 



I'ig. 6. Three copy protection systems for DVD protection. 



BNSDOCID:<XP 4232133A. I.> 



A.M. Ktkicioglu. EJ. Defp / SigttuI Processing: Image Communication 16 (2001) 6fSl-699 



693 



7.5. IVatennarking as a reqiiireniefU 
in the CSS license 

Tlic C:SS license includes the fulurc use of a video 
watermarking technology for playback and record- 
ing control. The DVD CCA therefore needs to 
choose a watermarking technology as part of the 
license. The Watermark Review Panel (WaRP) was 
formed in December 1998 to assist CCA in evaluat- 
ing the proposals. It had ten members representing 
the Cn, IT and motion picture industries. 

Tlie seven video watermarking proposals sub- 
mitted to DliSG were merged to form two groups: 
Galaxy (Hitachi, IBM, NHC, Pioneer and Sony) 
and Millennium (Digimarc, Macro vision and Phi- 
lips) I 2 J. The key criteria used in testing these two 
candidates in the summer of 1999 were visibility, 
survivability, false positive rate, piracy, cost genera- 
tional control for one copy, and licensing terms and 
conditions. According to the reports presented at 
the CPTWG meetings. Galaxy and Millennium 
performed similarly in the tests. A major architec- 
tural diiVcrcnce between the two is the scheme used 
for generational control 13]. Galaxy inserts a new 
watermark in the authorized copy, whereas Millen- 
nium processes a "ticket" (auxiliary data) attached 
to the content. In a recent announcement. Millen- 
nium stated that they would also provide a remark- 
ing scheme for copies. The DVD CCA has not 
made a decision yet. 

H. Link protection 

Another piece of the copy protection problem 
that must be solved is the protection of links be- 
tween devices. It is important to note that home 
networks and iheir links are very heterogeneous. 
Many different systems for interconnection exist, 
and more are being added every year. Some exam- 
ples are: lObaseT, lOObaseT, HPNA,'"* IEEE 1394, 
baseband analog, digital visual interface (DVI),** 
various RF LAN standards, USB, IDE, AGP, 
NRSS and ^VSB-remodulation. These protocols 
have difl'erent characteristics (one-way versus two- 



hilp://www.hi>incpna.com/ 
' * hil|j://www.dd wg.org/ 



way, latency, bandwidth, out-of-band control) 
which can render link protection designs infeasible 
for one or many interconnect technologies. 

<V. /. IEEE 1394 interface protection 

The Digital Transmission Content Protection 
(DTCP) specification was jointly developed by 
Hitachi, Intel, MEI, Sony and Toshiba [4]. It 
deiines a cryptographic protocol for protecting 
audio/video entertainment content from un- 
authorized copying, intercepting, and tampering as 
it traverses digital transmission mechanisms such 
as a serial bus that conforms Jo the IEEE 1394 
standard. The use of this specification, and the 
intellectual property and cryptographic informa- 
tion required to implement it, are subject of a li- 
cense. The Digital Transmission Licensing 
Administrator (DTLA) is responsible for establish- 
ing and administering the system described in the 
specification. The DTCP system addresses the 
three DTDG layers in the following way. 

8.LL CCl layer 

The CCl can be carried in two ways: Encryption 
Mode Indicator (EMI) and embedded CCL The 
most significant bits of the synch field of the iso- 
chronous packet header are used for encoding the 
(EMI) bits as follows: 

11: copy-never, 

10: copy-one-gencration, 

01: no-more-copics, 

(K): copy-free. 
CCl can also be embedded in the content stream (to 
be recognized by format-cognizant devices). 

8,1.2. Authentication and key exchange layer 

Two authentication levels are provided: full and 
restricted. Full authentication can be used with all 
types of content protected by the system. Restricted 
authentication is applicable for the protection of 
"copy-one-generation" and *'no-more-copies" con- 
tent only. 

8.L3. Content encjypiion layer 

The M6 [29] cipher is defined as the baseline 
cipher, i.e., the cipher that must be supported 
by all compliant devices for interoperability. It is 



3NSDOCID: <XP. 4232133A. L> 



.'/.A/. I£skicio^lu, EJ. I^lp J Signal Processmg: Image Communication 16 (2001) 6iiI-699 



a symniclric-koy block cipher based on pcrmulation 
and subslitution. Other ciphers such as the Data 
l-iicrypiion Slandard (DliS) |29] and Modified 
Blowlish I 29 1 can also be supported. 

As a result of a request from the content 
providers, a lourth layer has been added to allow 
system renewability. 

«V. /.-/. System rctwwahilily layer 

Since the security of the DTCP system relies on 
the secrets embedded in devices, it is not possible to 
renew the system by replacing the secrets. Renewa- 
bility is therefore implemented using the concept of 
revocation. A Certificate Revocation List (CRL) is 
a list of device IDs identifying the devices with 
Ci>mpromised security | 4J. The DTLA generates 
and distributes such lists in System Renewability 
Messages (SRMs). Devices that support full auth- 
entication receive and store SRMs for device revo- 
cation. SRMs are updated via new content or new 
services in a number of ways. Some alternatives arc 
other compliant devices with newer lists, prere- 
corded content media, and compliant devices with 
external conmuinication capability (e.g. Internet, 
cable or satellite connections). 



9. CEMA and copy protection 

'/ /. Naiional Renewable Security Standard (NRSS) 

The NRSS architecture was developed by 
C"i!MA partly in response to the Telecommunica- 
tions Act of 1996. It provides a means for renewable 
security to be employed with digital consumer elec- 
tronics devices such as digital television receivers 
and digital VCRs. Renewable security encompasses 
upgradeable, extensible, removable and replaceable 
security, allowing the security functionality to be 
separated from navigational devices. Simply stated, 
NRSS allows lor the security system to be replaced 
if it has been hacked. This will be accomplished by 
"smart card'' devices connected to consumer elec- 
tronic devices. 

The NRSS provides two physical designs, known 
as Part A and Part B. Part A dcfmes a removable 
and renewable security element that is an extension 



of the ISO-7816 standard i:22]. Part B defines a re- 
movable and renewable security element based on 
the PCMCIA rPC Card") form factor. The com- 
mon attributes allow either an NRSS-A or NRSS-B 
device to provide security for applications involv- 
ing pay and subscription cable or satellite television 
services, telephony, and all forms of electronic 
commerce. 

The main diflerences between NRSS-A and 
NRSS-B devices are the range of ca pa bih ties and 
the capacity for extension. The NRSS-A interface is 
limited to 8 electrical contacts using serial com- 
munication, whereas the NRSS-B interface uses 68 
electrical contacts and parallel^cQmmunication. In 
general, the NRSS-A device could be smaller and 
less costly, while the NRSS-B device could be more 
robust and extensible. 

) 

9.2, Interface protection 

CEMA has standardized four interfaces for de- 
vice interconnection: lEEK 1394 interface, RF 
Remodulator interface, NRSS interface, and analog 
component video interface.^ 

1. EIA'775\ This standard [15] defines a specifica- 
tion for a baseband digital interface to a digital 
television. It is based on the IEEE 1394 Stan- 
dard for High Performance Serial Bus [32]. 

2. EIA-762 and EIA-761: These standards [16,17] 
define minimum specifications for a one-way 
data path utilizing an 8 vestigial sideband (VSB) 
or a 16 VSB remodulator in compliance with 
ATSC Standard A/53 Annex D [1]. 

3. EIA-679: This standard [12] defines a specifica- 
tion for a national renewable security standard. 
It provides an architecture to allow the condi- 
tional access functionality to be detached from 
consumer electronics devices. 

4. EIA'770.2 and EIA'7703: These standards 
[13,14] define the specifications for standard 
definition and high definition analog compon- 
ent video interfaces, respectively. 

Several CEMA working groups have worked on 
the protection of these interfaces. A summary of 



''HI A Standards are available ai hUp://www.cia.org for 
a nominal ree. 



BNSEXDCIO: <XP 4232133A_L> 



A.M. Eskicioglu, E.J. Deip I Signal Processing: image Communication 16 (2001) 681-699 



695 



Tabic 3 

Working groups for interface protcclion 



Working Group 



Interface 



R4.S WG2 



R4.8 WG5 



C:ir:MA/NCTA JLC NRSS 
Subcommilicc WG2 



IFJiE 1394 and RF Rcmod 



Analog component video 



NRS^ 



Work done 



Issued a CI- 1 on 4 November I9f>8. Gathered 
infonnalion on 5 proposals: 5C, MR.I Technology 
Solutions, NDS, Philips and Thomson/Zenith. 
Published a report [28] summarizing the 
proposals 

Issued a CIT on 2 March 1999. Gathered 
infonnation on 5 proposals: C-Cubc, Galaxy, 
Macrovision, Philips and EchoStar. Published 
a report \S\ summarizing the proposals 

Defined a framework [12] for protecting the 
content across the NRSSnrilcrfacc. Five copy 
protection systems, all numbered for 
identification, support the common framework: 
No.l Thomson, No.2 OpcnCablc, No.3 NDS, 
No.4 5C and No.5 Philips 



this work is given in Table 3. R4 is Ihe Video 
Systems Committee within CEMA. R4.8, a sub- 
committee reporting to R4, is responsible for all 
digital interfaces including their protection. The 
Joint Engineering Committee (J EC) was formed by 
CEMA and NCTA^^ lo work on technical issues of 
common interest. 



10. Global architectures for copy protection 

As mentioned in Section 2, two distinct ap- 
proaches have been proposed for copy protection: 

(a) integration of specific solutions, 

(b) a global solution. 

10,1. CPSA 

The Copy Protection System Architecture 
(CPSA) presented by IBM, Intel, MEl and Toshiba 
is an example of the first category. In CPSA, the 
original secure source is either pre-recorded DVD 



» 3 National Cable Television Assoeiation (hup://www.neta. 
eoin/.) 



or electronic distribution. The content, audio or 
video, is protected by a group of component tech- 
nologies including CSS (for video), CPPM (for 
audio), CPRM, DTCP, and audio and video water- 
marking. 

10,2. XCA 

A representative example of the second category 
is the global architecture proposed by Thomson 
and Zenith. The XCA Copy Protection System 
Specification defines a system for providing local 
security of audio and video content during trans- 
mission and storage in digital home networks. This 
task is accompUshed by mapping the three basic 
controls, namely, "playback control", '^record con- 
trol" and "one-generational control" into "viewing 
control". Under the XCA system, content of eco- 
nomic value is always scrambled - either under the 
control and responsibility of the distributor or 
within the confines of the consumer's home net- 
work. XCA allows recording of XCA protected 
content in all conditions. Authorized copies are 
processed for descrambling and viewing only in 
licensed devices. 

XCA has been developed for use with one- 
way and two-way digital interfaces. It is primarily 



3NSOOCID: <XP 4232133A„I_> 



696 



A.M. Eskicioglu, /;,./. Delp / Signal Processing: Image Communication 16 (2001) 6ifI-699 



C'onlcnl 
Source 



Private Conditional Access 
Protected Content 



Local XCA Protected Content 



Local 
Home Network 



A k.- cess 



Prcsciitaliun 
IX' vice 



Digital 
Recording t)c\'icc 
iCA Domain) 



Digital 
Recording Dcvicu 
(XCA Domain) 



Content Scrambling 
Process 



Entitlement and Control 
Word Process 

Fig. 7. XCA system model. 



Content Descnunbling 
Process 



a replaceable copy protection system to be used 
with renewable security devices such as smart cards. 

There are three areas of technical compliance in 
the XCA specification: 

• functional compliance of device elements, 

• compliance of bit streams at the NRSS interface, 

• compliance of bit streams at the level of XCA 
Presentation Device interconnection. 

The XCA Licensing Authority is the entity respon- 
sible for administering the copy protection system. 
An XCA consumer electronics (CE) Device is a de- 
vice lliat may perform either or both of the follow- 
ing, optionally in conjunction with a renewable 
security device: 

• Creation of XCA protected bit streams from 
non-XCA protected programs, 

• Descramble portions of XCA protected bit 
streams. 

Two XCA CE devices and two removable security 
devices have been defined with specific functional- 
ities. These normative device types are: 

1. Access device: creates XCA protected content, 
either alone or in conjunction with a renewable 
security device, 

2. Presentation device: descramblcs XCA protected 
content, either alone or in conjunction with a re- 
newable security device, 

3. Converter card: a renewable security device that 
can create XCA protected content from private 
Conditional Access (CA) protected content. 



4. Tenninal card: a renewable security device that 
can descramble XCA protected content. Its out- 
put is compatible with the XCA NRSS interface 
protection system. 
A digital recording device is a device that is able to 
store or playback XCA protected bit streams, but is 
unable to create or descramble XCA protected bit 
streams. Devices that perform digital recording or 
playback in combination with XCA creation or 
XCA descrambling shall be classified as an XCA 
CE Device. 

The block diagram in Fig. 7 shows the basic 
XCA system architecture. In principle, XCA 
concerns itself with the protection of "after'' 
purchase content in the home. The local access and 
presentation devices are the two essential elements 
to access, convert and display copyrighted content. 
The local digital recording device can be used in 
both CA and XCA domains for storing CA or XCA 
content. 



10.3, Canal and NDS 

Canal + and NDS are two of the leading CA 
providers promoting a copy protection architecture 
similar to XCA. In this architecture, a security 
module coordinates all the control communica- 
tions between connected compliant CE devices, 
and manages the viewing rights as well as recording 



eNSDOCID: <XP 4232133A_I_> 



A.M. Eskicioglu, EJ. Delp j Signal Processing: Image Communication 16 (200 J) 6Si-699 



697 



righls associated with prelected data. The security 
module is cither a stand-alone device or a removable 
card embedded in a C\i device in the home net- 
work. The main features of the proposed system 
include: 

1. secure authenticated channel between the secur- 
ity module and the connected devices, 

2. transformation of global entitlement control 
messages (ECMs) to personal ECMs, 

3. renewable security, 

4. revocation of hacked devices. 



11. Secure di»ital music initiative 

The Secure 'Digital Music Initiative (SDMI) is 
a forum that brings together the worldwide record- 
ing, consumer electronics and information techno- 
logy industries to develop specifications for secure 
distribution of music in digital form [18]. The 
mission of SDMI is to enable consumers to conve- 
niently access music, artists and recording com- 
panies to protect their intellectual property, and 
technology and music companies to build success- 
ful businesses in their chosen areas. 

SDMl's first achievement is a specification for 
portable devices. The longer-term project is to 
complete an overall architecture for delivery of 
digital music in all forms. 

The SDMI Portable Device Specification Part 1 
(version 1.0) [18] contains implementation require- 
ments and reference models for three functional 
components: 

1. Applications: Perform tasks such as content im- 
port, hbrary management, playback and rights 
management 

2. Portable devices and portable media: Store pro- 
tected content and play it back. 

3. Licensed compliant modules: Act as interfaces 
and translators for communications between 
applications and portable devices/portable 
media. 

Compliance with the specification is voluntary. It is 
envisioned that the final specification will use 
a combination of encryption and watermarking. 
The subsequent parts will describe higher genera- 
tion portable devices, and a generalized framework 
for SDMI componenls. 



12. The US cable industry 

The Telecommunications act of 1996 mandates 
that the US cable industry make 'navigation devi- 
ces' commercially available to consumers. The P^ed- 
eral Communications (X^mmission (FCC) issued 
a report and order in 1998 to implement this re- 
quirement. This has led to the OpenCable effort in 
the US. From the viewpoint of CE manufacturers, 
the OpenCable system has two focal points: the 
interface from a CE "host'' to an OpenCable POD 
(point-of-deployment) module, and an interface 
from a CE device to an OpenCable settop box 
(which itself is probably a POI^Jiost). 

OpenCable standards are crciated by Cablel^bs, 
which is funded by member cable-operators. Cable- 
Labs privately works with vendors of its choosing 
to create OpenCable standards, gain approval from 
their member cable operators, and then submit 
these standards to the Society of Cable Telecom- 
munications Engineers (SCTE) for approval as an 
ANSI standard. OpenCable has defined copy pro- 
tection systems for both the POD-Host interface 
and IEEE 1394. 



13. Conclusions 

The following conclusions can be drawn from 
our overview of copy protection in consumer elec- 
tronics devices: 

1. Device interoperability is essential: The standard 
interfaces developed for analog and digital sig- 
nals will guarantee device interconnectivity in 
home networks. Nevertheless, some of the sys- 
tems developed for copy protection are not com- 
patible, and do not provide interoperability. 
This may present a potential problem for the 
consumer who may have to know what services 
are protected by which copy protection systems, 
and identify the consumer devices supporting 
those systems. 

2. Encryption-based technologies provide *'condi- 
tional" security: The difficulty in attacking 
cryptographic tools (ciphers, authentication and 
digital signature methods) is based on today's 
computational resources. With the ever increas- 
ing power of computing devices, today's secure 



3NSDOCID: <XP 4232133A_I. > 



AM. Eskicioglu. EJ. Delp / Signal Processing: Image Communication 16 (200 1) 681-699 



systems will undoubledly no longer be robust in 
the future unless they are upgraded. 

3. IVaiennark-hased technologies may require legis- 
lation: Watermarking may require legislation 
with respect to whether the watermark must be 
delected. In the absence of a law, non-compliant 
devices in the market place can be used for 
circumvention. Watermarks may prove useful if 
implemented as a second line of defense compli- 
mentary to encryption. 

4. The 3 major industries (CE, IT&MP) tend to have 
conflicting requirements: This is an ironical situ- 
ation. The MPAA expects robust solutions 
(which arc expensive and complex), the CE com- 
panies need the least expensive solutions, and 
the IT industry desires to implement everything 
in software. 

5. Consensus is needed: To reach a common set of 
goals, the participating industries need to agree 
on certain legal and technical issues, opening the 
avenues for progress and closure. 

After more than four years of work on copyrighted 
digital content protection, there are still some issues 
that have not been addressed. Some of the prob- 
lems that require clTcctive and efiicient solutions in 
the near future are the following: 

• High Definition DVD: More robust methods 
may be needed for this type of content. 

• DVB content: Conditional access and copy pro- 
tection systems are being developed in Europe. 

• ATSC terrestrial TV broadcasting: A framework 
lias been specified. Private conditional access 
systems will co-exist. 

• Digital audio: SDMI will provide a framework 
for the secure distribution of digital music. 

• Content distributed over the Internet: No pub- 
hshed standard for streaming or downloaded 
video or other type of content. 

We would like to hope that copy protection will 
not be a roadblock for successful deployment of 
digital television. The "digital world'' brings many 
advantages, but also many interesting problems. 

Acknowledgements 

We would like to thank Dave DufReld of Thom- 
son Consumer Electronics for his contributions to 
several sections of this work. 



References 

I 1 J Advanced Television Standards Commillee (ATSC) Stan- 
dard A/53, available at http://www.alsc.org. 

1 2.1 A. Bell, The dynamic digital disk, IEEE Spectrum 36 (10) 
(October 1999)28-35. 

13] J.A. Bloom, IJ. Cox, T. Kalker, J-P.M.G. Linnarlz, M.L. 
Miller, C.B.S. Traw, Copy protection for DVD video» 
Proc. IEEE 87 (7) (July 1999) 1267-1276. 

[4] 5C Digital Transmission Content Protection, available at 
h u p://w ww.d tcp.com/. 

I 5] Compilation of Responses to Further CFI on DTV Ana- 
log Component Video Interface, available at http://www. 
cemaci t y.o rg/wo rks/pu bs. 

[6J I. Cox, J. Kiiian, F.T. Leighton, T. Shamoon, Secure spread 
spectrum watermarking for multimedia, IEEE Trans, on 
Image Process. 6(12) (I>ecember^l997) 1673-1687. 

[7j D.W. Davics, W.L. Price, Security for Computer Net- 
works, Wiley, New York, 1989. 

[8] D.E.R. Denning, Cryptography and Data Security, 
Addison- Wesley, Reading, MA, 1983. 

[9] W. Diffie, M.E. Hellman, New directions in cryptography, 
IEEE Trans, on Inform. Theory 22 (6) (November 1976) 
644-654. 

[10] W. Diffie, M.E. Hellman. Privacy and authentication: an 
introduction to cryptography, Proc. IEEE 67 (.3) (March 
1979) 397-427. 

[]]] Digital Millennium Copyright Act, available at 
http://lcweb.loc.gov/copyright. 

[12] EIA-679B National Renewable Security Standard, Sep- 
tember 1998. 

[13] EI A 770.2 Standard Definition TV Analog Component 

Video Interface, September 1998. 
[14] EIA 770.3 High Definition TV Analog Component Video 

Interface, September 1998. 
[15] EIA-775 DTV 1394 Interface Specification. December 

1998. 

[16] EIA-761 DTV Rc-modulator Sf-Kxification with Enhanced 

OSD Capability, November 1998. 
[17] EIA-762 DTV Re-modulator Specification, August 1998. 
[18] Guide to SDMI Portable Device Specification, available 

at http://www.sdmi.org. 
[19] F. Hartung and M. Kutter, Multimedia watermarking 

techniques, Proc. IEEE, 87 (7) (July 1999) 1079-1107. 
[20] M.E. Hellman, An extension of the Shannon theory ap- 
proach lo cryptography, IEEE Trans. Inform. Theory 23 

(5) (May 1977) 289-294. 
.[21] Interim Report, Results of Phases I and II, Data Hiding 

Subgroup, Version 0.15, 16 April 1998 (available at 

http://www.dvcc.com/dhsg). 
[22] ISO 7816-1 - Identification cards - integrated circuits 

cards with contacts. ISO 1987. 
[23] .1. Menezcs, P.C. van Oorschot, S.A. Vansionc, Handbook 

of Applied Cryptography, CRC Press, Boca Raton. FU 

1997. 

[24] F.A.P. Petitcolas, RJ. Anderstm, M.G. Kuhn, Information 
hiding - a survey, Proc. IEEE 87 (7) (July 1999) 1062-1078. 



BNSCXXID: <XP 4232133A_L> 



r 



A.M. Eskicioglu, EJ. Delp / Signal Proces 

1 251 <' >*• l^llLVgcr, Security in Computing, Prenlice-Hall, 
l-nukwiuKl Cliffs, NJ, 1989. 

A. Pressman, Hollywood sues sites over DVD software, 
Kcuicrs. 14 January 2000. 
\21\ Review and I'indings of Submitted Proposals, Digital 
Transmission Discussion Group, Version l.U, H Novem- 
Inrr PW7. 

I 2N I Review of Information Submitted in Response to the CFl, 

R4.X Working Group 2, 30 July 1999. 
1 2*> I B. Scbncier, Applied Cryptography, Wiley, New York, 1996. 



Image Communication 16 (2001) 6S1-699 699 

[30] C.E. Shannon, Communication theory of secrecy systems. 

Bell Systems Tech. J. 28 (October 1949) 656-715. 
[31] M.D. Swanson, M. Kobayashi, A.M. Tewfik, Multimedia 

data-embedding and watermarking technologies. Proc. 

!EEK S6 (6) (June 1998) 1064-1088. 
[32] I.J. Wickelgren, Facts about firewire, U.VM Spectrum 7A 

(4) (April 1997) 19-25. 
[33] R.B. Wolfgang, C.I. Podilchuk, t:.J. Delp, Perceptual 

watcnnarks for digital images and video, Proc. \V.E\i 87 (7) 

(July 1999) 1108-1126. 



3NSDOCID:<XP 4232133A_I > 



THIS PAGE BUNK (USPTO 



